I think now I have around 3500+ groups that have way long CN
and displayname, mostly created by ADC, so in the samaccountname it's only taking
the first 20 characters...

Personally I prefer shortnames, as Exchange only uses
displayname for the address book, so it doesn't matter what's the samaccountname or the
cn for the group.

I'm thinking of writing a script that renames the long cn
and samaccountname of the groups created by ADC to incremental groups - such as,
for example, singroup1, singroup2, singroup3 (sin = singapore)

Any comments whether it will break any functionality... or
is this a bad idea?

Thank you and have a splendid day!

Kind Regards,
Freddy Hartono
Group Support Engineer
InternationalSOS Pte Ltd
mail: [EMAIL PROTECTED]
phone: (+65) 6330-9785

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Thursday, June 08, 2006 12:38 PM
To: [email protected]
Subject: RE: [ActiveDir] OT: Samaccountname attribute (20 char limit) not applicable to groups?

I have a customer with tens of thousands of what I would call long group names
(<=50 chars because of a bug in the app that owns them) and I haven’t seen
any group name related issue … I also haven’t fully followed this thread so I
may not be understanding the issue.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe

Well for
normal AD there is no reason to handle them unless for some reason you don't
want them anymore. As for the ADC... It is a temporary POS... I am not sure how
much changing of the environment I would do to support it. I would start looking
at telling it to stop dorking with things.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Freddy HARTONO

Interesting read...

So since I have thousands of groups with pretty long names - any suggestions on how do
you handle long groupnames? Do you create a short groupname and put the long
description on it...?

Thank you and have a splendid day!

Kind Regards,
Freddy Hartono
Group Support Engineer
InternationalSOS Pte Ltd
mail: [EMAIL PROTECTED]
phone: (+65) 6330-9785

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe

Here is the most recent...

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe

According
to the schema the sAMAccountName must be 0-256, however, this is one of the
famous SAM Attributes, the rules of the schema are not necessarily the rules
that apply to the SAM Attributes see http://blog.joeware.net/2006/01/21/222/ -
which is a blog article titled "But the schema says description is multivalued."

The sAMAccountname is fun because it depends on the object type it is applied to.
For instance a user object peaks out at 20 even with LDAP. Localgroup
names I believe could go to 256 characters if you knew how. You can definitely
go that high on the local SAM on workstations.

Even with NET.EXE you can create and manipulate domain local groups with greater than
20 characters. In fact I just doublechecked and easily handled creating,
populating, and deleting a group with 100 characters. The pinch though is
when you are trying to add that group to another group. NET.EXE screws that up
and throws the usage screen. However, that doesn't mean it can't be done and
that the API doesn't handle it. If you grab my LG tool from the website
(http://www.joeware.net/win/free/tools/lg.htm) it
will do it and I can guarantee it uses the LEGACY NET API. I wrote the
main code used in that tool initially back in about 1997 or 1998 or so.

I do recall in the early days of W2K some kind of an issue with group names though
while importing them into AD from NT4 Domains. If the group was too long it
would instead get a random sAMAccountName which I thought was quite fun. I ended
up having to put in a check script after every migration to make sure that cn's
and SAM Names matched up.

Interestingly enough, MS has put an attribute into AD to hint at some point upcoming support
for turning off the LANMAN support which artificially limits say a userid SAM
Name to 20 characters called uASCompat. However, currently that attribute seems
to be entirely read-only. I have not been able to find a way to change it the
various times I have poked through the source code.

joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Free, Bob

Look for the "Net localgroup limitation?" thread in January of this year,
particularly joe's message of 1/23/2006 8:35 PM

Also his message of 2/20/2005 8:37 AM in thread "samAccountName attribute
length"

Finally his listing from lmcons.h header file in "character
limit for sAMAccountNames" from 3/8/2004 7:09 PM

Sorry I don't have the links handy, those are from a search of my personal
archives.

HTH

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick

Jorge, if you happen to find that in the archives, please
post the link. A quick search of the net brings back some items that seem to
indicate that greater than 20 could result in a problem with some directory sync
tools. samaccountname is listed as being expected to be 20
chars. It doesn't differentiate between groups and users that use the
samaccountname. That just "seems" like a recipe for issues, but if you say
it can be 256 without issue, then.... (I know Joe, you're using 64 and so did
Jorge, but it looks like it was done for convenience vs. going with more chars.)
Interesting.

On 6/6/06, Almeida Pinto, Jorge de <[EMAIL PROTECTED]> wrote:

About a year and a half ago I
have tested this as I was doing a migration from NDS to AD. Worked like a charm!
(I even did tests for legacy clients like W9x as those were my biggest concern,
did not find anything) The NDS groups were > 64 chars and accepted all kinds
of funny chars. I had to cut them down to < 64 chars.
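
Added example (not code from any poster in this thread): a check of the kind joe describes running after each migration, comparing every group's cn with its sAMAccountName in an LDIF export and flagging names cut to the first 20 characters, names that do not match the cn at all, and names longer than 20 characters. The sample records, the finding labels and the function names are constructed for illustration, and LF line endings are assumed.

```python
import base64

SAM_LEGACY_LIMIT = 20  # length the thread says ADC-created names were cut to

# Constructed sample in LDIF form; the second cn is base64 for "singroup1".
SAMPLE_LDIF = """\
dn: CN=SIN Finance Regional Approvers Distribution,OU=Groups,DC=example,DC=com
cn: SIN Finance Regional Approvers Distribution
sAMAccountName: SIN Finance Regional

dn: CN=singroup1,OU=Groups,DC=example,DC=com
cn:: c2luZ3JvdXAx
sAMAccountName: singroup1

dn: CN=Legacy NT4 Imported Operators Group,OU=Groups,DC=example,DC=com
cn: Legacy NT4 Imported Operators Group
sAMAccountName: $9A1000-7KQ2M3PLD0VE

dn: CN=Helpdesk Tier Two Escalation Contacts,OU=Groups,DC=example,DC=com
cn: Helpdesk Tier Two Escalation Cont
 acts
sAMAccountName: Helpdesk Tier Two Escalation Contacts
"""

def parse_ldif(text):
    """Parse the LDIF subset needed here: folded lines, comments, base64 values."""
    text = text.replace("\n ", "")     # unfold: newline + one space continues a line
    entries = []
    for block in text.split("\n\n"):   # entries are separated by blank lines
        entry = {}
        for line in block.splitlines():
            if not line or line.startswith("#"):
                continue
            attr, _, value = line.partition(":")
            if value.startswith(":"):  # "attr:: ..." carries base64-encoded UTF-8
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            entry[attr.lower()] = value.strip()
        if entry:
            entries.append(entry)
    return entries

def audit_group(entry):
    """Classify one group: None (ok), 'long-sam', 'truncated' or 'mismatch'."""
    cn, sam = entry.get("cn", "").lower(), entry.get("samaccountname", "").lower()
    if sam == cn:
        return "long-sam" if len(sam) > SAM_LEGACY_LIMIT else None
    return "truncated" if sam == cn[:SAM_LEGACY_LIMIT].strip() else "mismatch"

def audit(text):  # maps the DN of each flagged group to its finding
    return {e["dn"]: f for e in parse_ldif(text) if (f := audit_group(e))}
```

Running the same audit before and after a bulk rename gives a list of exactly which groups changed state, which is the list to check against anything that refers to groups by sAMAccountName.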
